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Abstract. The characteristic novelty of what is generally meant by a 
"physical unclonable function" (PUF) is precisely defined, in order to 
supply a firm basis for security evaluations and the proposal of new 
security mechanisms. A PUF is defined as a hardware device which im- 
plements a physical function with an output value that changes with its 
argument. A PUF can be clonable, but a secure PUF must be unclon- 
able. 

This proposed meaning of a PUF is cleanly delineated from the closely re- 
lated concepts of "conventional unclonable function" , "physically obfus- 
cated key" , "random- number generator", "controlled PUF" and "strong 
PUF". The structure of a systematic security evaluation of a PUF en- 
abled by the proposed formal definition is outlined. Practically all current 
and novel physical (but not conventional) unclonable physical functions 
are PUFs by our definition. Thereby the proposed definition captures 
the existing intuition about what is a PUF and remains flexible enough 
to encompass further research. 

In a second part we quantitatively characterize two classes of PUF secu- 
rity mechanisms, the standard one, based on a minimum secret read-out 
time, and a novel one, based on challenge-dependent erasure of stored 
information. The new mechanism is shown to allow in principle the con- 
struction of a "quantum-PUF" , that is absolutely secure while not re- 
quiring the storage of an exponentially large secret. The construction 
of a PUF that is mathematically and physically unclonable in principle 
does not contradict the laws of physics. 



1 Introduction 



1.1 Aims and outline of this work 

"Physical unclonable functions" (PUFs) are electronic hardware devices that 
are hard to reproduce and can be uniquely identified |14l8j . They promise to 
enable qualitatively novel security mechanisms (see e.g. [219110] ) and have con- 
sequently become a "hot topic" in hardware security [5]. The present work asks 
the question "What characteristics exactly define the qualitative novelty of the 
PUF concept?" . We hope that a precise answer will aid the security evaluation 
of existing PUFs and help to develop new ideas for PUF security mechanisms. 
We searched for 
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1 . a formal definition of the properties that are required from a hardware device 
to be called "PUF" , and a 

2. a formal definition of the criteria that have to be fulfilled to consider a PUF 
"unclonable" . 

The formal PUF definition should not suffer from weaknesses of previous defi- 
nitions (see section [L2|) . encompass at least the large majority of the existing 
PUF constructions, and be as flexible as possible, i.e. does not restrict further 
progress in PUF development (e.g. by demanding constructional details, like 
the amount of stored information). This aim is achieved in section \2A\ After 
formulating a simple definition of PUF-security (based on Armknecht et al.[l]) 
in section 12.21 we delineate PUFs from some closely related security concepts 
(section [3]) and outline the elements of a PUF-security evaluation (section HJ. 
In a second part of the paper we systematically analyse and classify PUF secu- 
rity mechanisms and calculate their quantitative security levels against attacks 
that attempt mathematical cloning (section [5]). The aims of this section are 
to give a quantitative answer to Maes & Verbauwhede'sp^ question whether 
mathematically-unclonable PUFs are possible in principle, and to apply and 
thereby illustrate the PUF-definitions of the first part of the paper. In section [S] 
we characterise the qualitative novelty of PUFs as a new primitive of physical 
cryptography and discuss the future use and development of PUFs. 

1.2 Previous work on the definition of a PUF 

There have already been several proposal for the first definition of required PUF 
properties. Gassend et al. 8^ who invented the term "PUF" (earlier work by 
Pappu was on the slightly different concept of a physical one-way function [TJ]) 
demand that the function must be "easy to evaluate" , i.e. it must efficiently 
yield a response value "R" for a challenge argument "C" . and "hard to predict 
(characterize)". The latter property means that an attacker who has obtained a 
polynomial number of C - R pairs (CRPs) but has no longer physical access to 
the PUF can only extract a negligible amount of information about the R for a 
random C. Riihrmair et al.|I5J criticised this definition because the information 
content of finite physical objects is always polynomially bound, and therefore 
no PUF fulfilling this definition can exist. They propose an alternative formal 
definition in which the PUF must only be hard to predict for an attacker "who 
may execute any physical operation allowed by the current stage of technology" . 
Maes & Verbauwhede [IB] chose to exclude unpredictability from their "least 
common property subset" of PUFs, because they put into question whether it 
is possible in principle to construct a mathematically unclonable PUF. They 
demand that a PUF is "easy to evaluate" (property "evaluatable" ) and that 
it is "reproducible", meaning that a C always leads to the same R within a 
small error. Moreover they demand "physical unclonability" i.e. that it must be 
"hard" for an attacker to construct a device that reproduces the behaviour of 
the PUF. However, PUFs that are mathematically clonable are also physically 
clonable because the mathematical algorithm for PF can then be implemented 
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on a device that is then a functional physical clone of the PUF. Summarizing, 
a first generation of definitions roughly defined PUFs to be devices that are 
efficiently evaluatable and are mathematically and physically unclonable. They 
remain unsatisfactory for two reasons: 

1. Most of the devices currently called PUFs do not fulfill these definitions 
(according to Riihrmair et al.TF there are only some "candidates"), i.e. the 
definition does evidently not really capture the PUF concept. 

2. They combine the definition of a PUF with the definition of its security, 
i.e. points 1. and 2. above. A PUF is defined by its unclonability i.e. its 
security against attacks. This is problematic because an open-ended security 
analysis of a PUF clearly must have an "insecure PUF" as one a priori 
possible outcome. Based on the above definitions an "insecure PUF" is a 
paradox, PUFs would be secure by definition. 

These two problems were elegantly solved in a seminal paper by Armknecht et 
al.p who propose to formalize a PUF as "physical function ("PF") - which 
is a physical device that maps bit-string-challenges "C" to bit-string-responses 
"R" . The unclonability is recognized by Armknecht et al. as only one crucial 
security property, that they further formally define in great detail. We will sup- 
ply a simplified version of their general security definition in section 12.21 below. 
Following Armknecht et al., the PUF definition 1. consists in an answer to the 
question: What are the required characteristics of PF() in order to be a PUF? 
Armknecht et al. do not demand any specific mathematical properties but only 
that a PF is a "probabilistic procedure" that maps a set of challenges to a set of 
responses and that internally PF is a combination of a physical component and 
an evaluation procedure that creates a response. Armknecht et al. explain that 
the responses rely heavily on the properties of the physical component but also 
on uncontrollable random noise (hence "probabilistic"). This definition of PF() 
still faces the following problem: 

- Consider a standard authentication chip with a stored secret in a physically 
protected memory that calculates a response from the challenge and the se- 
cret. Such a chip must contain a "physical component" (the memory) and 
an evaluation procedure (its read-out) that fulfills Armknecht et al.'s defini- 
tion because some (very small) uncontrollable random noise is unavoidable 
even in standard computer memories. There is also no reason why a well 
designed standard authentication chip cannot posess Armknecht et al.'s se- 
curity properties. 

Therefore, even though Armknecht et al.'s definitions constitute great progress 
of lasting value, they still do not capture the distinctive properties of the PUF 
concept. In practice Armknecht et al. define all devices that run any challenge- 
response protocol as PUFs. 
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2 A model of the PUF concept 
2.1 Formal definition of "PUF" 

In the following we assume Armknecht et al.'s model of a PUF as physical 
function PF() (see section FO]) . We break up the physical function PF() into 
three steps (see fig.([T])). C,S,-,S and R are bit strings. 

1. In the first "physical read-out" step PFi — S^, internal information Sr (the 
"raw secret" ) is physically read-out from the PUF in response to a challenge 
C foreseen by the system architecture. 

2. In an optional second step PF2(Sr) = S error correction and/or privacy 
amplification are performed, such that errors in the read-out are corrected 
and parts of which may be known by the attacker (e.g. by guessing parts 
of the challenge) are removed by privacy amplification algorithms. 

3. In an optional third step PF3(S) = R, some additional algorithm is performed 
with S as input to calculate the final response R. Typically PF3 is some 
cryptographic protocol that proves the possession of S without disclosing it. 

In many existing PUF architectures the challenge C is an address of information 
inside the PUF which is output as the response R. E.g. in arbiter PUFs[TT] C 
defines the choice of a set of delay switches whose cumulative delay path defines 
S (and from this R) . Our idea is that the possibility for this mode of addressing, 
rather than its "unclonability" , defines a PUF. The challenge C can then be 
understood as a key required for physical access to the response R. R remains 
secret without access to C. 

A security architecture based on this idea requires certain properties of PF() 
which define the PUF concept: 

- Formal Definition 1 of a PUF A hardware device is called "PUF" if: 

a. a physical function PF2(PFi ()) which is deterministic for a specific set of 
challenges 9Jt, can he evaluated with each challenge at least once and 
h. the value S — PF2{PF\(C)) changes with its argument, for all outside 
challenges C G 9Jl, i.e. PF2(PFi(C)) = S is not a constant function. 

One difference to some previous PUF definitions is that PF() is not required to 
be easily evaluatable. An efficient evaluation of S is certainly a desirable design 
goal, but there is no reason why a device with inefficient read out cannot be a 
PUF by definition. 

Another difference to most previous definitions is that it allows a PUF to be 
clonable. As an example consider the following physical function that fulfills the 
above definition 1: 

- PFi(any C with more Is than Os) = 1001101101 

- PFi(any C with more Os than Is or equal number of Is and Os) — 0001101000 

Clearly a PUF with this PFi can be reproduced by a trivial algorithm, i.e. it is 
trivially mathematically clonable. This is a desirable property because "clonable 
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Fig. 1. Symbolic model of a PUF The box delineates the PUF that receives 
a challenge C (shown with an example bit string) and sends a response R that is 
determined in three distinct steps. The first step is the physical readout, the second 
the correction of errors that can occur in the first step and the third step includes all 
operations of mathematical cryptography. 



PUFs" do exist in the real world and should not present a PUF definition with 
a paradox. "Unclonability" is then a property that is aimed for, rather than 
achieved by definition. Analogously "cryptography" aims for secrecy (crypto) 
rather than achieving it by definition. Even though it is a child's game to break 
it, the Cesar cipher is a valid cryptographical algorithm according to this defini- 
tion. Consequently cryptographic algorithms are commonly defined to be "key- 
dependent injective" (rather than "unbreakable") mappings" [20j . 
Where does this leave PUF security? It is not possible in principle to extract 
the secret S from a PUF without knowing of the challenge. This is true even for 
the above insecure PUF. However in the example above it is easy to reproduce 
PFi, and therefore, as soon as the challenge becomes known, S becomes known. 
Therefore the crucial necessary objective for the security of a PUF is the unclon- 
ability of PF2(PFi()). In the next section we make this insight more precise. A 
complete and quantitative set of security requirements (i.e. with requirements on 
their length the number of independent challenges N etc.) can only be made 
in the context of a concrete PUF architecture. One example is discussed further 
in section [5T] 



2.2 Security of a PUF 



Requirements for prediction Even though the response of a PUF can in 
principle be used for various purposes, we will conclude in section [6] that one 
central PUF capability is the distribution of remote authentication secrets. If S 
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is used for authentication purposes, an attacker must be able to fully predict 
it, i.e. a partial prediction of S=PF2(PFi(C)) for a given argument C will not 
be considered a successful attack in the following. Therefore, the natural "basic 
objective" of PUF security is that the attacker cannot predict a complete, correct 
bit string S for a given bit string C. 

Attack models Security can only be defined relative to an attack model, that 
lays down the assumptions about the security environment. We assume in the 
following two models from the literature that seem realistic in practice. The first 
one models an attempt to break Armknecht et al.'spP selective unclonabilitjQ. 
It does not put any restriction on the attack strategy, therefore adaptive choices 
of challenges are possibleH. The second one is an attempt to do the same with a 
certain reasonable amount of insider knowledge. Both models assume that the 
attacker has only access to one single PUF, i.e. attacks exploiting correlations 
between different PFs are excluded by assumption (see Armknecht et al.[I] for 
the general case). 

Attack model 1: "Outsider attack": The attacker has physical access only to the 
attacked PUF only for a finite amount of time Ata- After this access period, she 
tries to predict a secret S from the PUF to a challenge C, randomly chosen from 
the set of all challenges. She has no knowledge of the set of challenges and secrets 
that will he used during the active lifetime of the PUF or any further previous 
knowledge of the PUF. 

Attack model 2: "Insider attack": The attacker has physical access only to the 
attacked PUF only for a finite amount of time Ata. After this access period she 
tries to predict a secret S from the PUF to a challenge C, randomly chosen from 
the set of all challenges. She has no knowledge of the set of challenges and se- 
crets that will he used during the active lifetime of the PUF hut she has all other 
information that the manufacturer of the PUF has ahout the attacked individual 
PUF. 

The attack models assume that the attacker tries to predict S rather than R, 

^ Riihrmair et al.'s|15j PUF definition demanded that the original manufacturer of 
the PUF cannot produce two PUFs which are clones of each other (Armknecht 
et al.[T] demand this "existential unclonabiliy" only optionally.). "Selectively 
unclonability" [T] means that given physical access to the device an attacker can- 
not produce a clone. 

In practice existential unclonability would hardly enhance the security against a ma- 
licious manufacturer, for the following reason. She could produce "quasi-existential- 
PUF" devices that do not meet the PUF definition 1, but algorithmically simulate - 
e.g. with an keyed hash function - an output that cannot be discriminated from the 
one of an existential PUF. These quasi-existential-PUFs could be easily cloned by 
the malicious manufacturer, and could serve exactly the same purpose as clonable 
PUFs. 

As an alternative to existential unclonability we will propose a weaker "resistance- 
against-insider-attacks" security level in this section 12.21 
^ Therefore strong unpredictability in the sense of Armknecht et al. [l] will be necessary 
to protect the PUF. 
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because PF3 might be protected with non-PUF security mechanisms, e.g. with a 
secure tamper-resistance scheme in combination with a secure crypto algorithm. 
Such a security mechanism shah remain out of our consideration because we aim 
to define the security of the PUF itself. 

Security against a modcl-2 attacker corresponds to unclonability against an at- 
tacker who has most of the inside knowledge about the PUF production, but who 
cannot directly manipulate the production process. This unclonability is weaker 
than "existential unclonability" (see footnote 1) but perhaps more relevant in 
practice. 

Definition of a secure PUF The PUF-security definition now follows from 
the requirement that the attack shall be unsuccessful: 

- Formal definition 2 of the PUF-security objective 

A PUF is secure against an attack of a model-1 ("selectively unclonable" ) 
attacker if a model-1 attacker can compute or physically copy the func- 
tion PF2(PFi(C)) ~ S for not more than a negligible fraction L of chal- 
lenges from the set of all possible challenges. Here "compute" means via 
a computation independent of the PUF and corresponds to "mathematical 
cloning". "Physically copy" means to create a device that functionally repro- 
duces PF2(PFi(C)) and corresponds to "physical cloning". 

Replacing the model-1 by a model-2 attacker defines a PUF that is "insider 
selectively unclonable" . L is the security level of a secure PUF, i.e. the probability 
for an attacker to successfully predict the secret S for a challenge C without being 
in posession of the PUF after the access period. 

A precise quantification of "negligible", i.e. the decision which upper limit of 
L is required, cannot be made on the level of this general definition because it 
depends on the detailed security environment. L is analogous to the required 
probability p of a successful brute force attack in classical cryptography that 
depends on the key length. We propose as a reasonable upper limit on L that it 
is "negligible on a terrestrial scale" which has been estimated by Emile Borel as 
< 10- 15 [4]. 

3 Relation of PUFs to closely related concepts 

In this section we delineate the concept of a PUF as defined in section 12.11 and 
12.21 from five closely related concepts. 

3.1 PUFs and conventional unclonable functions ("CUFs") are 
qualitatively diff'erent 

Let us first differentiate between a PUF and a conventional physical function that 
serves the same function as a PUF (called "conventional unclonable function" 
CUF in the following). A CUF contains secret information that is protected 
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by tamper resistance, by anti side-channel- and fault-induction-attack measures 
and by a cryptographic algorithm that protects the secret from disclosure via the 
response. A CUF does not fulfill the PUF definition 1., because the secret does 
not depend on the challenge. In other words: The first physical secret readout 
step PFi(C) is a constant function in a CUF. 

PUF and CUF differ qualitatively in the way they protect the secret. In a PUF 
the lack of knowledge of the challenges protects the secret S in a similar sense 
that the lack of knowledge of a cryptographical key protects the clear text in 
a cipher text. There is no analogous "key" in a CUF. Its security mechanisms 
merely rely on physical barriers and arrangements that prevent access to secret 
information. 

3.2 PUFs and physically obfuscated keys are independent concepts 

Devices that extract physical information with "non-standard" methods are cur- 
rently called PUF even if there is no (or effectively a single fixed internal) chal- 
lenge (e.g. in SRAM PUFs[l^). In this case PFi() is formally constant, so that 
such devices are no PUFs in the sense of our definition 1. We endorse Riihrmair 
et al.'s suggestion p[5l to call information extracted in this way in general "phys- 
ically obfuscated keys" (POKs). This limit of N=l is the only one where devices 
that are currently called PUFs, would no longer be classified as PUF under our 
proposed definition. We find this appropriate because while POKs can enable 
valuable tamper-resistance mechanisms (see below), they are not the qualita- 
tively novel primitive of physical cryptography that PUFs promise to be (see 
section |6] for further discussion of the nature of this primitive) . 
The protection by obfuscation is valuable: it consists in the extra-time an at- 
tacker needs to learn the non-standard readout mechanism or position in a stan- 
dard memory where an obfuscated key has to be stored at least temporarily. 
POKs are delineated from CUF only by the "non-standard" qualifier because 
stored information is always physical [12]. The secrets of PUFs will usually be 
stored in a non-standard way, i.e. they will also be POKs. But this is no neces- 
sary requirement for a PUF. There is no fundamental reason why PUFs cannot 
have "standard" computer memories (see e.g. SIIICs[T7], a PUF using a stan- 
dard crossbar memory). 

Physically obfuscated functions (POFs) may also appear in PUF architectures. 
They are defined as computation with non-standard physical processes, e.g. via 
scattering of light or folding of proteins. 

3.3 Random number generators 

In both deterministic and physical random number generators the initial read- 
out step PFi (the read out of the seed) does not depend on a challenge C. 
In secure deterministic RNGs PFi(C) must be a constant function. In physi- 
cal RNGs PFi is not constant but intrinsically random, i.e. not deterministic. 
Therefore, RNGs do not meet the PUF definition 1. 
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3.4 Controlled PUFs: a PUF with additional tamper resistance 

In controlled PUFs [715] tamper-resistance measures prevent the attacker from 
obtaining C - Sr- pairs from the PUF. Only the C - R pairs - from which S,. 
cannot be derived if PF3 is a suitable, secure cryptographical algorithm - can be 
accessed by an attacker. It seems likely that PUFs e.g. used in smart cards will 
eventually all be controlled PUFs, because such an additional well understood 
security layer stands to reason. However the security of PUFs themselves should 
be analysed under the assumption of no such a control because if one trusts the 
control mechanism, mathematically clonable PUFs suffice anyway. 

3.5 "Strong PUFs": not the only path to strength 

Riihrmair et al. [15] defined a PUF to be "strong" if it "has so many C - R pairs 
... that an attack ... based on exhaustively measuring the C - R pairs has a 
negligible probability of success" . In our nomenclature a strong PUF is roughly 
a MRT-PUF that fulfills our second security requirement (see section [Ql below, 
for further explanation of MRT). It is thus appropriate to call them "strong", 
but there can be secure PUFs which are not "strong" in Riihrmair et al.'s sense, 
e.g. EUR-PUFs(see section [5^ below for further explanation of EUR). 

4 Security evaluation of PUFs 

A main purpose of the present proposed formal PUF definitions 1. and 2. of the 
concept "secure PUF" is to establish a consistent basis for security evaluations 
and certifications of PUFs. What is the structure of an evaluation on this basis? 
If the proposed PUF fulfills definition 1, the basic informal questions of a security 
evaluation based on definition 2 are: 

1. Which form has PFi(C) and by which physical mechanism is extracted? 

2. What is the form of PF2(Sr)=S and how is the function evaluated physically? 

3. What is the total information content in the set of all secrets S? 

4. For what fraction L of the allowed challenges can PF2(PFi(C)) be either 
mathematically computed or physically copied? 

5. Which comprehensible physical security mechanisms prevent an attacker to 
compute or copy PF2(PFi(C)) for more than a fraction L of all challenges? 

Answers to questions 1.-4. allow to evaluate quantitative and comprehensible 
security levels against "mathematical-cloning brute force attacks" (see section 
O. Question 5 will have a more qualitative answer, similar to answers to the 
question whether a mathematical cryptographic algorithm is secure against non- 
brute force attacks. 
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5 Analysis of PUF security mechanisms 

The holy grail of PUF construction is to construct PUFs that are unclonable i.e. 
fulfill the security definition 2 (section [22]) ■ If an attacker succeeds to access the 
PUF's internal secrets, she will usually be able to compute PF2. Because physical 
reproduction of a PUF without knowledge of its internal secrets will probably be 
hard in practicf[f|, PUF security mechanisms must above all prevent the attacker 
from computing PF2. In other words: mathematical unclonability is the hardest 
nut. Therefore we will classify the known PUF security mechanism and calculate 
their security level against brute-force mathematical cloning attacks. 
Up to now all proposed and constructed PUF^ are based on a mechanism that 
we propose to call "minimum readout time" (MRT) and that is further discussed 
in subsection 15.11 All these existing PUFs turn out to fulfill our PUF-definition 
1, i.e. they "remain" PUFs, even in case they have turned out to be clonable (see 
below). Because currently the MRT mechanism dominates the field, one might 
be tempted to equate the very concept of PUFs with it. However, the flexibility 
of our definition allows a completely different PUF security mechanism that we 
call "erasure upon read-out" (EUR) (see section 15. 2p for devices. One concrete 
EUR PUF, the quantum PUF will be introduced below. 

These examples show that our proposed definitions have achieved their aims: 
nearly all existing (MRT) PUFs can be included in its scope, but its fiexibility 
allows to include completely novel PUF constructions (the EUR PUFs). 

5.1 "Minimum readout time" PUFs 

This well known PUF security mechanism is to store a large enough number N 
of C - S pairs on the PUF so that the total time 

Att ^ Atr X N (1) 

to read them all out is much longer than the time Ata during which an attacker 
possesses the PUF. Atr is the read-out time for one C - S pair. The maximal 
fraction of pairs the attacker can read-out is then Ata/ Att = Lb/- Lb/ is the 
security level against mathematical-cloning brute force attacks. 
Pappu's optical PUF[T3], the arbiter PUFfS] and nearly all other current PUFs 
are MRT-PUFfH. These constructions are valid PUFs according to our definition 
because their values of PF2 changes with the challenge. 

However, many of the existing PUFs are insecure according to our definition 
because Riihrmair et al.[16 succeeded to employ machine-learning methods that 
allow to infer PF2(PFi()) from a small fraction of all C - R for which only 
short Ata is necessary [16,. Because all C - S pairs can be thus predicted, the 

^ But not necessarily impossible. She could e.g. succeed to reproduce to clone a PUF 

exactly copying its production process. 

In the sense of this paper, i.e. excluding POKs. 
^ The only exception are "PUFs" with only one challenge which we propose to call 

only "POKs" in the future, see section [3^ 
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security level against machine-learning attacks L„j; = 1 which is "not negligible" 
in general, i.e. the PUF must be considered mathematically clonable according 
to PUF-security definition 2. 

The exact form of PF() depends on the detailed architecture of the MKT PUF. 
In general MKT PUFs can be hardened against mathematical cloning if their 
PF2(PFi) fulfills the following demands: 
Security requirements for the MRT-PUF 

- N must satisfy: N > L-^{Ata/Atr) 

- Suppose PF2(PFi(Cn)) — Sn with n — 1...N where both Cn and Sn contain 
£ bits. Then the combined information content (entropy) I of all Cn and Sn 
must satisfy: I > 2 N £ 

- The set of challenges to be used in operation must not be contained in any 
form in the PUF. 

- The lengths of the challenge £ and response £$ must both fulfill: £,£s ^ 
log2(N). 

The first condition expresses that to prevent brute force mathematical-cloning 
attacks the number of stored C - R pairs N must be extremely large if L = 
10~^^, (see section [2?2] on the choice of L). With representative values of Ata = 
1 day and Atr — 1 second the required N would be on the order of 10^° which is 
exponentially larger than e.g. storable in common data storage devices of much 
larger size than a typical PUF. This is the sense in which a secure MKT-PUF 
requires the storage of an "exponentially large" secret. The second condition 
expresses that in order to reliably ward successful machine-learning attacks PF2 
must be just an ordered list of C - S pairs with random values that cannot 
be represented in any more compact form. The third requirement prevents an 
attack in which only the set of challenges to be used in the field operation of a 
PUF (which is much smaller than dJl in secure MKT PUFs) are extracted in an 
attack. The fourth constraint is necessary to avoid a decrease in the the effective 
L. 

5.2 "Erasure Upon Readout" PUFs Quantum PUFs 

Consider a PUF with only a single C - S pair foreseen by the system architecture. 
Because there is at least one other non- foreseen C, there are then at least two 
possible C. A novel PUF security mechanism requires the following: 
Security requirements for "Erasure Upon Readout" (EUR) PUF 

- The correct S is returned if the challenge C is correct ( i. e. the one foreseen 
by the PUF's architecture) and S is erased and returns a random value if it 
is not. 

- The length of the challenge £ and response £s must both fulfill £,£3 ^ log2(l/L). 

- The set of challenges to be used in operation must not be contained in any 
form in the PUF. 
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EUR PUFs can fulfill the PUF-definition 1 if they are non-constant PFs that 
are deterministic for the foreseen set of challenges. For EUR PUFs - completely 
opposite to the MRT case (see section [Q]) - the total number of challenges "N" 
can remain as small as 2 but still be secure because by way of the second and 
third security requirement the probability to guess the correct challenge is only 
L and challenging with the wrong challenge will erase S by the first requirement. 
N can be chosen to as many different challenges as are actually needed during 
the practical deployment of the PUFs. 

The only concrete "Erasure Upon Readout" architecture proposed up to now, 
is Wiesner's "quantum money" and "quantum unforgeable subway token" [2113] 
that can be described as an electronic hardware device running a challenge - 
response protocol (such a kind of "money" or "token" has to be) and that fulfill 
our definition 1 of a PUF. In such a "quantum-PUF" the secret information 
consists of i quantum- mechanical two-state systems ( "qubits" ) that are prepared 
either in one of the two quantum mechanical so called "Fock" states |0) or |1) 
(base # 0) or in cither one of the states ^ (|0) + |1)) or ^ (|0} - |1)) (base # 1). 
|0) and (|0) + |1)) encode a "0" secret bit and |1) and (|0) - |1)) encode a 
"1" secret bit. The challenge bits indicate the correct chosen measurement bases. 
The raw secret is encoded with the choice of the state within a chosen basis 
according to the rule stated above. 

In order to decode or copy S^., it is necessary to know in which of the two bases # 
or # 1 the £ qubits for one challenge were prepared. If a qubit is read out in a 
wrong base, the laws of quantum mechanics determine that the read-out result is 
a perfect random number and additional read out attempts will again yield this 
random number, rather than the original, correct number. The physical function 
PF of the quantum-PUF is thus given as: 
Quantum-EUR PFi(): 

- First read-out: 

PFi (correct base bit) = correct bit of Sr 
PFi (incorrect base bit) — random bit. 

- Any further read-out in the same base: 
PFi() — same bit as in first read-out 

Evidently in the first read-out PFi is not constant and deterministic for the fore- 
seen C i.e. a quantum-PUF fulfills definition 1. Reading out a C - S pair more 
than once is possible, but after the first read-out, the information is no longer 
secure because the qubits are no longer in a quantum-mechanical superposition 
of states. 

In the most simple case without any read-out errors or inefficiencies (so that 
no further processing is done PF2(Sr)= S^) and implementation mistakes (an 
assumption that will be difficult to fulfill [TH]) the only potentially successful 
attack is to guess the challenge. On average, for half of the bits the guess will 
be correct and the correct corresponding bits of will be output. For the other 
half the probability to get the correct output bit is 1/2. The total probability 
to get a correct output bit of is therefore 0.75 and Lq = (|)~^, which is 
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the absolute (i.e. not only mathematical-cloning brute force) security level of a 
quantum-PUF against this attack. E.g. with a secret S,- consisting of 128 qubits, 
L < 10""'^^ thus fulfilling the criterion for a secure PUF with Borel's estimate for 
an upper bound on L (see section [2.2^ . Wiesner's quantum money, interpreted 
as a "quantum PUF" , thus proves that an absolutely unclonable PUF is not in 
contradiction to the laws of physics. 

The use of quantum-PUFs for authentication is beyond the reach of current 
technology because qubits are unavoidably read out on very short timescales 
(presently qubits cannot be isolated for longer than milliseconds 6 ) by interac- 
tions with their environment. As explained above, quantum-PUFs are no longer 
secure after read-out. Quantum crvptographvflS] can be described as sending a 
quantum-PUF in the form of a chain of photons in order to distribute its secret S 
for use as cryptographic key. In the laboratory such a "light-field" PUF remains 
in the initially prepared coherent state for no longer than about a millisecond. 

6 Discussion 

The protection of secrets in hardware devices that need to access these secrets 
in their normal operation - a necessary condition for any authentication pro- 
cedure - cannot be implemented with methods of mathematical cryptography 
alone. Some physical protection mechanism is needed. The conventional tamper 
resistance mechanisms (employed in CUFs see section 13. ip rely on protecting 
the memory with physical barriers. CUFs withstand known, vigorous direct at- 
tacks typically for not longer than a few months [TH]. We showed that PUFs are 
a qualitatively novel alternative. The secret is protected by the absence of infor- 
mation from the device of where of where the challenge is stored. In CUFs and 
POKs this information must exist on the device because otherwise the response 
cannot be evaluated, even if it is protected by direct, physical barriers. Thereby 
PUFs protect the secret by a novel genuine primitive of physical cryptography. 
The possibility of realizing PUFs based on the principles of quantum mechanics 
demonstrates that in principle the laws of physics allow to construct absolutely 
secure PUFs. This situation motivates more security-related physics research 
on unclonable quantum-PUF and MRT-PUF, to invent entirely new PUF con- 
struction principles. The real PUF promise are PUFs that withstand any known, 
practical attack, period, i.e. provide a level of authenticity protection similar to 
the one provided by mathematical cryptography for confidentiality. 
In the future PUFs will probably authenticate hardware devices. If Alice knows 
the C - Sr pairs of a PUF she gave to Bob (e.g. from the designer of the PUF) 
she can publicly broadcast a challenge and be sure that the correct response S 
can only be created on Bob's original PUF. Therefore effectively PUFs allow the 
remote distribution of authenticated secret entropy (the S for Bob) via sending 
the challenges (the C chosen and sent by Alice) over standard channels. These 
entropy could "update" the secrets in conventional unclonable functions. In this 
way existing architectures based on CUFs could be augmented by PUFs without 
the need for a completely new PUF security architecture. 



14 



Acknowledgements. We thank R. Breithaupt, U. Gebhardt, M. Ullmann, 
C. Wicschobrink and anonymous referees at the TrustED 2011 and PILATES 
2012 workshops for helpful discussion and criticism on earlier versions of this 
manuscript. 

References 

1. F. Armknecht et al., A Formal Foundation for the Security Features of Physical 
Functions, IEEE Symposium on Security and Privacy (SSP), p. 397-412, IEEE 
Computer Society, May 2011. 

2. F. Armknecht et al.. Memory Leakage-Resilient Encryption Based on Physically 
Unclonable Functions., ASIACRYPT '09 Proceedings of the 15th International 
Conference on the Theory and Application of Cryptology and Information Security: 
Advances in Cryptology. 

3. C.H. Bennett, G. Brassard, S.Brcidbart, S. Wiesner, Quantum Cryptography, or 
Unforgeable Subway Tokens, Advances in Cryptography: Proceedings of CRYPTO 
82, Plenum Press, pp. 267-275 (1983). 

4. E. Borel, Probabilities and life, Dover, (1962). 

5. H.Busch et al.. The PUF Promise, Lecture Notes in Computer Science, 2010, Vol- 
ume 6101/2010, 290-297. 

6. J.Fischer, D.Loss, Dealing with decoherence, Science 324, 1277 (2009). 

7. B.Gassend, D.Clarke, M.van Dijk, S.Devadas, Controlled physical random func- 
tions. Proceedings ACS AC '02 Proceedings of the 18th Annual Computer Security 
Applications Conference (2002). 

8. B. Gassend, D. Clarke, M. van Dijk, S. Devadas, Delay-Based Circuit Authentica- 
tion and Applications. In Proc. of the 18th Annual ACM Symposium on Applied 
Computing, March 2003. 

9. B. Gassend, M. van Dijk, D.E. Clarke, E. Torlak, P. Tuyls, Controlled physical 
random functions and applications. ACM Trans. Inf. Syst. Secur. 10,4, article 15 
(2008). 

10. J. Guajardo et al., FPGA intrinsic PUFs and their use for IP protection, CHES 
2007, P.Paillier, I.Verbauwhede (eds.), LNCS 4727, 63 - 80, Springer, (2007). 

11. D. Lim ct al., Extracting Secret Keys From Integrated Circuits, IEEE TRANS, on 
very large scale integration (VLSI) systems, 13,(10) 1220, (2005). 

12. R. Landauer, Information is physical, Physics Today,23 (May 1991). 

13. R.Maes, I.Verbauwhede, A discussion on the Properties of Physically Unclonable 
Functions, TRUST-2010 Workshop, Bcrhn (2010). 

14. R.Pappu, Physical One-Way Functions, PhD thesis, MIT, 2001; R.Pappu, B.Recht, 
J.Taylor, N.Gershenfeld, Science, 297,2026 (2002). 

15. U.Riihrmair, J.Soltner, F.Sehnke, On the Foundations of Physical Unclonable 
Functions, Cryptology cPrint Archive, Report 2009/277. 

16. U. Riihrmair, F. Sehnke, J. Solter, G. Dror, S. Devadas, and J. Schmidhuber, Mod- 
eling attacks on physical unclonable functions, in ACM conference on Computer 
and communications security (CCS), 2010, pp. 237 - 249. 

17. U. Riihrmair, C. Jaeger, M. Algasinger, An Attack on PUF-based Session Key Ex- 
change, and a Hardware-based Countermeasure: Erasable PUFs, 15th International 
Conference on Financial Cryptography and Data Security, St. Lucia, February 28 
March 4, 2011. 



15 



18. V.Scarani, C.Kurtsiefer, The black paper of quantum cryptography: real implemen- 
tation vroblems. larXiv:0906.4547V l (2009). 

19. C. Tarnovsky, Deconstructing a "secure" processor, Black Hat Con- 
ference, Washington, https;/ /www.blackhat.com/presentations/bh-dc- 
10/Tarnovsky_Chris/BlackHat-DC-2010- Tarnovsky- DASP-slides.pdf, (2010). 

20. H.C.A. van Tilborg (ed.), Encyclopedia of cryptography and security, Springer, New 
York, (2005). 

21. S. Wiesner, Conjugate coding, Sigact News, 15, 78 (1983). 



